Open-source SIWE authentication with social login, role-based access control, and multi-tenancy. TypeScript & Python SDKs included.
Wallet-native and social login flows, all producing the same JWT identity.
EIP-4361 SIWE messages with nonce protection, domain binding, and automatic signature verification.
Any OAuth2 provider with deterministic identity derivation. Users get a consistent identity regardless of how they sign in.
Authorization code flow with S256 code challenge. Hosted sign-in page or bring your own frontend.
QR-code mobile wallet support via WalletConnect v2. Works with 300+ wallets.
People, AI agents, and applications all share the same role-based access control. A single 6-part permission string governs every action in every tenant.
Assign roles to groups or individual identities. Flat groups collect users, agents, and apps. Role assignments bind to a specific tenant — add one role to a group, every member inherits the permissions.
region:platform:tenantId:resourceType:resourceId:action with wildcards at every level. *:forge:acme-corp:documents:*:read lets an agent read all documents in a tenant.
Callers cannot grant permissions broader than what they hold. Every role assignment and permission delegation is validated against the caller’s own scope — privilege escalation is structurally impossible.
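As an added illustration (not Guardius's own code) of the two features above, a matcher for the 6-part permission string with wildcards at every level, and an escalation guard that refuses any role assignment broader than what the caller holds. The matching semantics are an assumption: a "*" in a held permission covers anything at that level, while a "*" in a requested grant is only covered by a "*" in the caller's own grant.

```typescript
// Added example, not Guardius's own code. Permission format assumed from the page:
// region:platform:tenantId:resourceType:resourceId:action, with "*" allowed at any level.

const PARTS = 6;

export function parsePerm(perm: string): string[] {
  const parts = perm.split(":");
  if (parts.length !== PARTS || parts.some((p) => p.length === 0)) {
    throw new Error(`malformed permission string: ${perm}`);
  }
  return parts;
}

// True when every level of `held` is "*" or equals the same level of `target`.
// A "*" in `target` is therefore only covered by a "*" in `held` (assumed semantics).
export function covers(held: string, target: string): boolean {
  const h = parsePerm(held);
  const t = parsePerm(target);
  return h.every((part, i) => part === "*" || part === t[i]);
}

// Runtime permission check: `request` is a fully concrete 6-part string.
export function isAllowed(callerPerms: string[], request: string): boolean {
  return callerPerms.some((held) => covers(held, request));
}

// Escalation guard: a caller may assign a role only if each permission in it is
// covered by something the caller already holds, so the grant can never be broader
// than the caller's own scope.
export function canAssignRole(callerPerms: string[], rolePerms: string[]): boolean {
  return rolePerms.every((grant) => callerPerms.some((held) => covers(held, grant)));
}
```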
Six default roles — guardius_admin, tenant_admin, platform_admin, developer, viewer, executor — plus custom roles with CRUD APIs. Template variables expand to concrete grants per tenant and platform.
Each platform gets its own namespace with independent configuration, credentials, and rate limits. Tenants within a platform provide further isolation.
Register, enable, and disable platforms. Disabling a platform immediately blocks all auth flows — token exchange, refresh, verify, authorize, and social login.
JWTs include platform_id and tenant_id claims for downstream service authorization.
Create tenants via API with automatic tenant_admin role assignment. Configurable per-identity creation limits.
Per-tenant redirect URI and CORS origin validation enforces OAuth security boundaries.
Every authentication, permission check, and security event is captured with structured metadata for auditing and analytics.
Time-bucketed daily aggregates with sharded partition keys for high throughput. Query by event type, platform, or wallet address.
Security-critical events are preserved under load. Buffer overflow drops non-security events first, ensuring audit trails survive traffic spikes.
Every log line is a JSON object with timestamp, level, service tag, and structured data. Buffered writes for efficiency, immediate flush on errors.
Permission grants, role assignments, group changes, and escalation denials are all emitted as events with full caller context.
Type-safe SDKs with automatic token refresh, PKCE handling, and full RBAC support.
RS256 asymmetric signing with automatic key rotation, refresh tokens, and a public JWKS endpoint.
Asymmetric JWT signing with a public /.well-known/jwks.json endpoint for zero-trust token verification.
One-time-use refresh tokens with automatic rotation. Reuse detection immediately revokes the token family.
SDK-level token lifecycle management. Access tokens refresh transparently before expiration.
HMAC-signed pagination cursors for tamper-proof, stateless pagination across all list endpoints.
Multiple layers of protection against common attacks, from rate limiting to nonce replay prevention.
Per-IP sliding window with exponential backoff. Separate limits for auth, token exchange, and admin endpoints.
Cryptographic nonces with time-bound expiration prevent replay attacks on SIWE messages.
Revoke all refresh tokens for a user with a single timestamp marker. No need to scan or delete individual tokens — instant account-level lockout.
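The refresh-token rotation, reuse detection, and timestamp-based subject revocation described above, as an added example that is not Guardius's own code. The in-memory store, hex token format, and millisecond timestamps are assumptions for illustration.

```typescript
// Added example, not Guardius's own code: one-time-use refresh tokens with rotation,
// family revocation on reuse, and subject-level lockout by a single timestamp marker.
import { randomBytes } from "node:crypto";

interface RefreshRecord { subject: string; family: string; issuedAt: number; used: boolean }

export class RefreshTokenStore {
  private tokens = new Map<string, RefreshRecord>();
  private revokedFamilies = new Set<string>();
  private subjectRevokedAt = new Map<string, number>(); // subject -> cutoff (ms, assumed)

  private mint(subject: string, family: string, now: number): string {
    const token = randomBytes(32).toString("hex"); // assumed token format
    this.tokens.set(token, { subject, family, issuedAt: now, used: false });
    return token;
  }

  // First login: start a fresh token family for the subject.
  issue(subject: string, now = Date.now()): string {
    return this.mint(subject, randomBytes(16).toString("hex"), now);
  }

  // Exchange a refresh token for its successor. Returns null when the token is rejected.
  rotate(token: string, now = Date.now()): string | null {
    const rec = this.tokens.get(token);
    if (!rec || this.revokedFamilies.has(rec.family)) return null;
    // Subject-level lockout: anything issued at or before the cutoff is dead,
    // without scanning or deleting individual tokens.
    const cutoff = this.subjectRevokedAt.get(rec.subject);
    if (cutoff !== undefined && rec.issuedAt <= cutoff) return null;
    if (rec.used) {
      // A one-time token presented twice means a copy leaked: revoke the whole
      // family, including the currently live successor.
      this.revokedFamilies.add(rec.family);
      return null;
    }
    rec.used = true;
    return this.mint(rec.subject, rec.family, now);
  }

  // Revoke every refresh token issued to a subject up to `now` with one marker.
  revokeSubject(subject: string, now = Date.now()): void {
    this.subjectRevokedAt.set(subject, now);
  }
}
```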
Dynamic origin allowlist from configuration. Production guard rejects startup if no origins are configured.
Guardius shines when you need multiple identity types, tenant isolation, and fine-grained permissions in the same system.
Deploy autonomous agents across customer environments. Each customer is a tenant, each agent gets an agent: identity with permissions scoped to exactly what it needs. The escalation guard ensures no agent can grant itself broader access. Subject-level revocation instantly locks out a compromised agent across all tokens.
Each DAO is a tenant. Members authenticate with their wallets via SIWE, and the same identity works across treasury management, proposal voting, and contributor payments. Social login provides an onramp for non-crypto contributors. A contributor who works for two DAOs gets separate scoped roles for each without conflicting permissions.
tenant_admin → multisig signers | developer → contributors
Each engineering team is a tenant managing shared infrastructure. Platform engineers hold platform_ops with broad read access. Teams get developer roles scoped to their resources — CI pipelines, secrets, deployments. CI/CD bots authenticate as agent identities. Self-service tenant creation lets new teams onboard without filing tickets.
Each studio registers as a platform, each game title is a tenant. Players sign in with wallets for asset ownership or social login for mainstream access — both produce the same JWT identity. Game server bots are agent identities. Origin allowlists enforce that Studio A’s frontend can’t call Studio B’s endpoints.
platform:studio-a → tenant:battle-royale → agent:npc-engine
API providers register as platforms, enterprise customers are tenants. Each customer gets self-service tenant admin to manage their developers and API keys. The 6-part permission string maps cleanly to API resources. Scoped JWTs let downstream microservices enforce authorization without calling back to Guardius.
*:weather-api:acme-corp:endpoints:forecast:read